DETAILED ACTION



This office action is in response to Request for Reconsideration filed October 6, 
2003. Claims 1-21 are presented for further examination. 

Claim Rejections - 35 USC § 102 

1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless -

(b) the invention was patented or described in a printed publication in this or a foreign country or in public
use or on sale in this country, more than one year prior to the date of application for patent in the United
States.

2. Claim 1 is rejected under U.S.C. 102(b) as being anticipated by Hu.

As per claim 1, Hu discloses a method of enabling a client terminal user to access
target resources managed by a set of resource managers within an enterprise
computing environment, comprising:

• Authenticating the user to establish a user primary identity (column 1, lines 52-55,
column 2, lines 3-5, 30-35, 42-45, column 4, lines 23-28);

• Mapping the user primary identity to a set of user secondary identities (column 2,
lines 1-17, 20-25, 42-47, column 4, lines 44-55, column 5, lines 30-35, 60-67,
column 6, lines 1-11, 17-30);

• Authenticating the user to the resource managers using the set of user secondary
identities (column 2, lines 1-17, 20-25, 42-47, column 4, lines 44-55, column 5, lines
30-35, 60-67, column 6, lines 1-11, 17-30);

• Following authentication using the set of user secondary identities, forwarding 
resource requests to the resource managers (column 3, lines 59-65, column 4, lines 
52-55, column 6, lines 30-35); 

• Returning replies received from the resource managers back to the user (column 4 
lines 14-17, 55-58, column 6, lines 35-39). 

As per claim 2, Hu discloses: 

• The user primary identity is mapped to the set of user secondary identities by a sign- 
on service (column 2, lines 1-17, 20-25, 42-47, column 4, lines 44-55, column 5, 
lines 30-35, 60-67, column 6, lines 1-11, 17-30). 

As per claim 3, Hu discloses: 

• Authenticating the step of authenticating a trusted server to the sign-on service prior 
to mapping the user primary identity to the set of user secondary identities (column 
1, lines 52-55, column 2, lines 3-5, 30-35, 42-45, column 4, lines 23-28).

As per claim 4, Hu discloses:

• The trusted server is authenticated to the sign-on service before the step of 
authenticating the user to establish the user primary identity (column 1, lines 52-55, 
column 2, lines 3-5, 30-35, 42-45, column 4, lines 23-28). 

As per claim 5, Hu discloses: 

• Trusted server is authenticated to the sign-on service after the step of authenticating 
the user to establish the user primary identity (column 1, lines 52-55, column 2, lines
3-5, 30-35, 42-45, column 4, lines 23-28) 

As per claim 6, Hu discloses: 

• The user is authenticated to establish the user primary identity using an 
authentication service associated with the trusted server (column 1, lines 52-55,
column 2, lines 3-5, 30-35, 42-45, column 4, lines 23-28)

As per claim 8, Hu discloses:

• The client terminal user accesses the enterprise computing environment over the 
Internet (column 7, lines 40-45). 

As per claim 9, Hu discloses: 

• The user is authenticated to a given resource manager using an authentication 
service associated with the given resource manager (column 2, lines 1-17, 20-25, 
42-47, column 4, lines 44-55, column 5, lines 30-35, 60-67, column 6, lines 1-11, 17- 
30). 

As per claim 10, Hu discloses a method for enabling a client terminal user to access 
target resources managed by a set of resource managers operative within an enterprise 
computing environment, wherein the environment has an associated sign-on service, 
comprising: 

• Responsive to a request received from a user of the client terminal, authenticating 
the user to establish a user primary identity (column 1, lines 52-55, column 2, lines 
3-5, 30-35, 42-45, column 4, lines 23-28); 

• Using the user primary identity, accessing the sign-on service to retrieve a set of 
stored user authentication information, wherein the stored user authentication 
information comprises a set of user secondary identities (column 2, lines 1-17, 20- 
25, 42-47, column 4, lines 44-55, column 5, lines 30-35, 60-67, column 6, lines 1-11,
17-30);

• Performing a sign-on to the set of resource managers using the retrieved set of user
secondary identities (column 2, lines 1-17, 20-25, 42-47, column 4, lines 44-55, 
column 5, lines 30-35, 60-67, column 6, lines 1-11, 17-30); 

• Forwarding the request to a given resource manager (column 3, lines 63-65, column 
4, lines 53-55, column 6, lines 31-35); 

• Forwarding a reply received from the given resource manager back to the user 
(column 4 lines 14-17, 55-58, column 6, lines 35-39). 

As per claim 11, Hu discloses a method for enabling a client terminal user to access
target resources managed by a set of resource managers operative within an enterprise 
computing environment, wherein the environment has an associated sign-on service, 
comprising: 

• Having the client terminal user perform primary logon to an intermediary server to 
establish a user primary identity (column 1, lines 52-55, column 2, lines 3-5, 30-35, 
42-45, column 4, lines 23-28); 

• Having the intermediary server pass the user's primary identity to the sign-on service 
and in response, obtaining a set of user secondary identities that may be used in 
enabling the intermediary server to represent the client terminal user to the resource 
managers (column 2, lines 1-17, 20-25, 42-47, column 4, lines 44-55, column 5, 
lines 30-35, 60-67, column 6, lines 1-11, 17-30);

• Having the intermediary server perform a secondary logon to a first resource
manager using a first user secondary identity (column 2, lines 1-17, 20-25, 42-47, 
column 4, lines 44-55, column 5, lines 30-35, 60-67, column 6, lines 1-11, 17-30); 

• Having the intermediary server perform a secondary logon to a second resource 
manager using a second user secondary identity (column 2, lines 1-17, 20-25, 42- 
47, column 4, lines 44-55, column 5, lines 30-35, 60-67, column 6, lines 1-11, 17- 
30); 

• Having the intermediary server perform resource requests at the first and second 
resource managers under the respective secondary identities (column 3, lines 63-65, 
column 4, lines 53-55, column 6, lines 31-35); 

• Forwarding responses back to the client terminal user (column 4 lines 14-17, 55-58, 
column 6, lines 35-39). 

As per claim 12, Hu discloses in an enterprise computing environment having a set 
of resource managers and a sign-on service, the enterprise computing environment 
comprising: 

• Means for authenticating a user to establish a user primary account associated with 
a user primary identity (column 1, lines 52-55, column 2, lines 3-5, 30-35, 42-45, 
column 4, lines 23-28); 

• Means for cooperating with the sign-on service to map the user primary account to a 
set of user secondary accounts associated with a set of user secondary identities 
(column 2, lines 1-17, 20-25, 42-47, column 4, lines 44-55, column 5, lines 30-35,
60-67, column 6, lines 1-11, 17-30); 

• Means for logging onto the set of resource managers using the user secondary 
accounts (column 3, lines 63-65, column 4, lines 53-55, column 6, lines 31-35); 

• Means for passing resource requests from the user to the resource managers under 
the user secondary accounts (column 3, lines 63-65, column 4, lines 53-55, column 
6, lines 31-35). 

As per claim 13, Hu discloses: 

• The server passes replies to the resource requests back to the user (column 4 lines 
14-17, 55-58, column 6, lines 35-39). 

As per claims 14 and 21, Hu discloses in an enterprise computing environment 
having a set of resource managers and a sign-on service, comprising: 

• Means for authenticating a user to establish a user primary account associated with 
a user primary identity (column 1, lines 52-55, column 2, lines 3-5, 30-35, 42-45,
column 4, lines 23-28); 

• Means for authenticating the server to the sign-on service, wherein the set of user 
secondary accounts is associated with a set of user secondary identities (column 1,
lines 52-55, column 2, lines 3-5, 30-35, 42-45, column 4, lines 23-28);

• Means for passing resource requests and associated replies between the user and
the resource managers (column 3, lines 63-65, column 4, lines 53-55, column 6, 
lines 31-35). 

As per claim 15, Hu discloses: 

• Means for load balancing resource requests passed to a set of instances of a given 
resource manager (column 3, lines 63-65, column 4, lines 53-55, column 6, lines 31- 
35). 

As per claim 16, Hu discloses a system comprising: 

• A set of resource managers (column 4, lines 44-55, column 5, lines 30-35, 60-67, 
column 6, lines 1-11, 17-30); 

• A sign-on service (column 1, lines 52-55, column 2, lines 3-5, 30-35, 42-45, column 
4, lines 23-28); 

• A server comprising means for authenticating a user to establish a user primary 
accounts associated with primary user identities, means for logging a given user 
onto the set of resource managers using the user secondary accounts for the given 
user retrieved from the sign on service, wherein a set of user secondary accounts for 
a given user is associated with a set of user secondary identities for a given user, 
and means for passing resource requests and associated replies between the given 
user and the resource managers (column 2, lines 1-17, 20-25, 42-47, column 3, lines 
63-65, column 4, lines 44-55, column 5, lines 30-35, 60-67, column 6, lines 1-11, 17-35).

As per claim 17, Hu discloses:

• At least one resource manager comprises a set of instances (column 4, lines 44-55,
column 5, lines 30-35, 60-67, column 6, lines 1-11, 17-30).

As per claim 19, Hu discloses:

• The server comprises a set of instances (column 4, lines 44-55, column 5, lines 30-
35, 60-67, column 6, lines 1-11, 17-30).

As per claim 20, Hu discloses:

• A manager that manages the set of server instances (column 4, lines 44-55, column
5, lines 30-35, 60-67, column 6, lines 1-11, 17-30).

Claim Rejections - 35 USC § 103

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the
invention was made to a person having ordinary skill in the art to which said subject matter pertains.
Patentability shall not be negatived by the manner in which the invention was made.

4. Claims 7, 15, and 18 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Hu in view of Brendel et al, (hereinafter "Brendel", 5,774,660).

As per claims 7, 15, and 18, Hu does not explicitly disclose load balancing resource 
requests across a set of instances of a given resource manager. However, in an 
analogous art, Brendel discloses load balancing performed among nodes that have the 
requested resource (column 22, lines 65-67). 

Therefore, one of ordinary skill in the art at the time the invention was made would 
have found it obvious to implement or incorporate load balancing in Hu's method in 
order to avoid bottleneck and single point of failure and increase the efficiency of the 
system. 

Response to Arguments 
The Office notes the following arguments: 

(a) As should be apparent from the cursory reading of the rejection (Applicant states 
the Examiner's rejection to claim 1 in its entirety in the Request for Reconsideration, 
paper number 10), the rejection has taken multiple shortcuts in terms of form and logic 
that make it difficult for one to understand the anticipation argument that is supposedly 
presented by the rejection. For example it is difficult to understand why the same 
portions of Hu are cited as disclosing different elements within the claims. Additionally, 
it is difficult to understand why multiple portions of Hu are cited for disclosing one 
element within the claim. Moreover, some of the cited portions of Hu contain many 
different kinds of processing steps, and it is difficult to understand why the anticipation
rejection does not attempt to relate individual steps within the Hu to the individual steps
in the method of claim 1. Thus, Applicant must attempt to construct a logical argument
from the cited portions without any additional statements within the rejection. 

(b) Applicant asserts that Hu does not disclose "a user primary identity" nor "a set
of user secondary identities".

In response to: 

(a)-(b) Examiner would like to point out that the rejection made is of the same 
form and logic as previous rejections made (see paper number 4) for which the 
Applicant had no problem of understanding. Since the Applicant has found such great 
difficulty in comprehending the current rejection, the Examiner takes the opportunity to 
aid the Applicant in understanding the rejection made as it pertains to independent 
claim 1 (on which the other independent claims are similar). 

Hu discloses, "authenticating the user to establish a user primary identity", as 
stated in the independent claims, throughout the reference (see column 1, lines 52-55, 
column 2, lines 3-5, 30-35, 42-45, column 4, lines 23-35). Column 2, lines 3-5 state, 
"...calling, from the client system, an authentication gateway system, and supplying a 
user name and a security device; then obtaining, in the authentication gateway system, 
a set of..." Clearly, this portion of Hu discloses authenticating the user. By the user 
supplying a username, the user is establishing a primary identity that will be used
throughout the reference from which authentication to the resource managers will 
emanate. Column 2, lines 30-35 state "...means and proxy server means. The 
authentication means includes means for processing a log-in call from a client and 
receiving a user name and a security device from the client and means for obtaining a 
set of security credentials permitting client access to the server, and means for saving 
the security credentials and returning an access key to the client. The..." This portion 
also teaches the user being authenticated and establishing user primary identity which
is the username and password or security device. Column 4, lines 23-35 states "...client
system includes a log-in procedure, and a client application process from which a server 
request will emanate. The log-in procedure is executed, as its name implies, only 
frequently, such as once a day. Part of the log-in procedure is a call to the 
authentication gateway to permit authentication within the client security domain. This 
call, indicated by line 34 carries as parameters the identity of the client and any 
necessary password or security code needed to satisfy the security requirements of the 
client security domain. The authentication gateway performs the operations necessary 
to verify the authenticity of the client. The authentication gateway acquires 
authentication credentials for the client and saves them for later use." Again, this
portion discloses authenticating the user to establish a user primary identity. 

Hu discloses, "mapping the user primary identity to a set of user secondary 
identities", as stated in the independent claims, throughout the reference (see column 2, 
lines 1-18, 20-25, 42-47, column 4, lines 44-55, column 5, lines 30-35, 60-67, column 6, 
lines 1-11, 17-30). Column 2, lines 1-18 states "In more specific terms, the method of
the invention can be defined as comprising the steps of logging in to a server by calling,
from the client system, an authentication gateway system, and supplying a user name
and a security device; then obtaining, in the authentication gateway system, a set of 
security credentials that will permit client access to the server; and saving the security 
credentials and returning an access key to the credentials to the client. The next step is 
saving the access key in the client system. Subsequently, in a client application 
process, the client system performs the steps of retrieving the access key, calling a 
proxy server in the authentication gateway system, and passing the access key to the 
proxy server. Then, in the proxy server, the steps performed are using the access key 
to retrieve the security credentials, and using the retrieved security credentials to 
impersonate the client and call the server on the client's behalf. The step of logging in 
may include mutually authenticating the identities of the client and authentication 
gateway." Security credentials and the access key are "secondary identities" that are 
obtained from the user to identify the user. Column 2, lines 20-25 state "In addition, the 
method may include the steps of determining the identity of the client that logged in to 
the authentication gateway; determining the identity of the client that called and passed 
the access key; and comparing the client identities determined in the preceding two 
steps, to validate the identity of the client seeking access to the server." Indisputably, 
this passage states, "mapping the user primary identity to a set of user secondary 
identities". Hu discloses determining the identity of the user by passing the access key 
(secondary identity), which obtains the credentials (secondary identity), that was 
received by the user at the initial authentication and comparing (matching) the initial
identity (primary identity) with the credentials (secondary identity). Column 2, lines 42- 
47 states the similar "Preferably, the authentication means includes means for obtaining 
the identity of the client making the log-in call, and the proxy server means includes 
means for obtaining the identity of the client making the server call. The proxy server 
means also includes means for comparing this client identity with the one obtained by 
the authentication means, to verify..." The other passages cited show the same feature 
of mapping the user primary identity to a set of user secondary identities. 

Hu further discloses, "authenticating the user to the resource managers using the 
set of user secondary identities" (see column 2, lines 1-17, 20-25, 42-47, column 4, 
lines 44-55, column 5, lines 30-35, 60-67, column 6, lines 1-11, 17-30). Column 2, lines 
13-17 states "...Then, in the proxy server, the steps performed are using the access key 
to retrieve the security credentials, and using the retrieved security credentials to 
impersonate the client and call the server on the client's behalf..." Plainly this passage 
uses the access key and security credentials (secondary identities) to access the server 
(resource managers). Column 2, lines 20-25 state "In addition, the method may include 
the steps of determining the identity of the client that logged in to the authentication 
gateway; determining the identity of the client that called and passed the access key; 
and comparing the client identities determined in the preceding two steps, to validate 
the identity of the client seeking access to the server." Again, obtaining the access key 
(secondary identity) is used to authenticate the user before the user can have access to 
the server (managers). Column 6, lines 1-11 state "...necessary server credentials. 
which are stored as a "security context" for the client. Although not shown, the
authentication gateway process also invokes a service that provides the identity of the 
caller, i.e. the client, and stores the client identity with the security context information. 
As also shown, the authentication gateway process returns a server-based identity to 
the client. The identity is basically an access key to retrieve the stored security context. 
In the client log-in process, the server-based identity is saved in a id cache." Hu 
discloses the user having server credentials which are saved as "security context" which 
is another set of secondary identities used by the user to authenticate itself to the server 
(resource managers). Column 6, lines 17-30 state "...The next step performed in proxy 
server process, on receipt of the call from the client application process, is the call to the 
authentication gateway, to retrieve the stored security context, using the id as an access 
key. The proxy server process also determines who made the call. The client identity 
obtained in this step is compared with the client identity stored with the security context 
of the authentication gateway process. Comparing the two client identities eliminates 
the possibility that the client application process is using a server-based id that was not 
obtained legitimately during a log-in procedure." Clearly Hu discloses authenticating the 
user to the resource managers using the set of user secondary identities. The other 
passages cited show the same feature. 

Hu discloses "following authentication using the set of user secondary identities,
forwarding resource requests to the resource managers" (see column 3, lines 59-65,
column 4, lines 52-55, column 6, lines 30-35). Column 3, lines 59-65 state "A client
system wishes to use the services provided by a server system but does not have the
required software or hardware to conform to the server's requirements for
authentication. Instead, the client system communicates with an authentication 
gateway computer system which communicates, in turn, with the server..." It is evident 
that Hu discloses forwarding the requests of the client to the server (resource 
managers) once the user has been authenticated. Column 4, lines 52-55 state "...the 
credentials of the client that were saved by the authentication gateway during the log-in 
procedure. At this point the proxy server has all the information it needs to make a call 
to the real server..." Again, Hu discloses using credentials (user secondary identities) to 
authenticate the user and then making a call to the server (forwarding resource 
requests to the resource managers). Column 6, lines 30-35 state "The proxy server 
process then uses the server-based id to retrieve the client security context to 
impersonate the client, and makes a call to the server using the appropriate server 
credentials. The server processes the call and returns any required output 
arguments..." Clearly, Hu discloses following authentication using the set of secondary 
identities (credentials, server-based id, security context), forwarding resource requests 
to the resource managers (server) in this passage. 

Hu further discloses "returning replies received from the resource managers back
to the user" (see column 4 lines 14-17, 55-58, column 6, lines 35-39). Column 4, lines
14-17 state "If the service requested of the server requires that information be passed 
back to the client from the server, this information is passed through the proxy server 
acting as an intermediary." Explicitly, this passage discloses passing the information 
from the server (resource managers) back to the client (user). All other passages state 
the same feature. Plainly, Hu discloses returning replies received from the resource
managers back to the user. 

Examiner hopes that this clarification of the rejection, as it pertains to claim 1, is 
now clearly understandable by the Applicant. 



Conclusion

5. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE
MONTHS from the mailing date of this action. In the event a first reply is filed within
TWO MONTHS of the mailing date of this final action and the advisory action is not
mailed until after the end of the THREE-MONTH shortened statutory period, then the
shortened statutory period will expire on the date the advisory action is mailed, and any
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later
than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Barbara N Burgess whose telephone number is (703)
305-3366. The examiner can normally be reached on M-F (8:00am-4:00pm).

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Ario Ettinene can be reached on (703) 308-7562. The fax phone numbers
for the organization where this application or proceeding is assigned are (703) 872-9306
for regular communications and (703) 872-9306 for After Final communications.

Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whose telephone number is (703) 305- 
3900. 



Barbara N Burgess 

Examiner 

Art Unit 2157



December 10, 2003 



SUPERVISORY PATENT EXAMINER